Why Your Passwords Are Easy To Hack


Social media accounts, banking, online shopping. We all have to keep more passwords than we can count, and that makes it tempting to use passwords that are easy to remember.

But if you have an easy-to-remember password, it’s also simple enough for hackers to figure out what it is, says Emmanuel Schalit, CEO of password management service Dashlane.

“The only solution that can resist the type of attacks that hackers have been able to mount is to have really, really random passwords which are by definition impossible to remember,” he says.

If you don’t believe him, just look at the math. According to Schalit, Dashlane has close to 3 million users, 75% of whom are from the U.S. Schalit says research has shown people only have the ability to remember up to 10 passwords, though users with incredible memories (or very simple passwords) could recall up to 20.

But it’s not just about remembering the passwords, says Schalit, it’s about remembering which one goes with which website. And here’s the kicker: Dashlane users average between 50 and 60 different online accounts each. How many do you have?

Password Patterns: Predictable or Foolproof?

If you’re going to try to remember your 50-plus passwords but still make them unique, you might be tempted to have some sort of a pattern, like using the website’s name in your password, for example. Bad move, says Schalit, because cyber crooks are already onto you. That was a solution that could have worked two or three years ago, he says, but today it’s something hackers routinely crack.

“They actually built specialized hardware designed just for that,” he says. “They can almost instantly guess what variations you’ve come up with for other websites and test that very, very quickly.”

Another password pattern people try is using the first letter of words in a sentence or from favorite song lyrics. Again, says Schalit, this pattern is likely to fail because you’ll use that password on more than one site — which is a very dangerous thing to do.

Schalit likens passwords to keys to enter your digital home. When you use a password for a website, you are giving that key to whomever runs that website — and if they get hacked or aren’t trustworthy, you’re potentially giving it to everyone else on the web, too. But if that particular key opens other locks (or, more accurately, is used as a password on other websites), you’re letting anyone — hackers, rogue employees of the first website — run rampant in your digital home. Also, depending on how sites collect your information and maintain security, people could even use your information to gain access to your email, which could be devastating.

The Solution: Forget Your Password

While it may seem counter-intuitive, the best way to remember your passwords is to create ones that you’re going to forget. Random strings of characters are the hardest thing for hackers to crack, and are the best way to have a different password on every website. “Unfortunately in today’s world, given the number of devices and the number of accounts we have, you need a system and a tool to do that,” says Schalit.

In fairness to him, he did not recommend his company’s service for this story, but I will. Dashlane, like its competitors 1Password and LastPass, collects and locks down users’ passwords in an encrypted database accessible by one master password (or, in the case of their iOS apps, a fingerprint on the Touch ID scanner). All three are great for managing the dozens of logins most users have these days, and they work across multiple devices, too.

1Password is a great solution for Apple users, as it integrates with the Safari browser and has a well-designed iOS app. LastPass, meanwhile, is a little better for tech-savvy users, especially if they work across multiple platforms — it even has a Blackberry app.

But all three tools (including Dashlane) run on Windows, Android, and Mac/iOS and include password auditing tools that are key for untangling this mess. These tools look at your password usage across your various accounts and not only tell you when you’ve used the same password twice, but also when a password is overly simple and insecure. Coming soon from Dashlane is a password changing tool that will let users swap out their tired old login information for new, secure strings with a single click. People are lining up to try it out, with more than 50,000 users signed up for when it launches.
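To show what such an audit does in practice, here is an added example (written for this article, not code from Dashlane or any other password manager) that checks a constructed sample vault for the three problems discussed above: reuse across sites, the website’s name baked into the password, and passwords too short or simple to be secure, and generates a random replacement the way a manager would. The vault contents, the 80-bit threshold and the hostnames are assumptions made for the demonstration.

```python
import math
import secrets
import string

# Constructed sample vault (site -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "example-bank.test": "Summer2014!",          # reused on the shop site below
    "example-shop.test": "Summer2014!",          # reused
    "example-mail.test": "examplemail123",       # site name built into the password
    "example-forum.test": "tmb,nsa",             # short "song lyric initials" style
    "example-news.test": "q7#Lp2$vZr9!mK4e",     # random and unique
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def site_stem(site: str) -> str:
    """Distinctive part of a hostname: 'example-mail.test' -> 'examplemail'."""
    return site.split(".")[0].replace("-", "").lower()


def entropy_bits(password: str) -> float:
    """Generous upper bound: assumes each character was drawn uniformly from the
    classes the password uses. Real patterns (words, dates) have far less entropy,
    so this only catches passwords that are weak even on paper."""
    pool = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault: dict, min_bits: float = 80.0) -> dict:
    """Return {site: [findings]} for reuse, site-name patterns and weak passwords."""
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, pw in vault.items():
        problems = []
        if len(sites_by_password[pw]) > 1:
            problems.append("reused")
        if site_stem(site) in pw.lower():
            problems.append("contains-site-name")
        if entropy_bits(pw) < min_bits:
            problems.append("weak")
        findings[site] = problems
    return findings


def random_password(length: int = 16) -> str:
    """Replacement password from a CSPRNG: the 'forget your password' approach."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Running `audit(SAMPLE_VAULT)` flags every entry except the random one, and `random_password()` produces the kind of string a manager stores so you never have to remember it.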
